DETAILED ACTION

This office action is responsive to communication filed May 23, 2007. Claims 1,
2, 5 and 14 have been amended. Therefore, claims 1-6, 8-15 and 17-22 are pending in 
this application. 

Claim Rejections - 35 USC § 101
1. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

Claims 5, 6, 8-15 and 17-22 are rejected under 35 U.S.C. 101 because the 
claimed invention is directed to non-statutory subject matter. 

Claims 5, 6 and 8-13 are directed to a method for adjusting access to a 
database. This claimed subject matter lacks a practical application of a judicial 
exception (law of nature, abstract idea, naturally occurring article/phenomenon) since it 
fails to produce a useful, concrete and tangible result. Specifically, the claimed subject 
matter does not produce a tangible result because the claimed subject matter fails to 
produce a result that is limited to having real world value rather than a result that may 
be interpreted to be abstract in nature as, for example, a thought, a computation, or 
manipulated data. More specifically, the claimed subject matter provides for a final step 
of adjusting authorized database accesses by changing settings. This produced result 
is not made tangible to a user, thus remains in the abstract and fails to achieve the 
required status of having real world value.

Claims 14, 15 and 17-22 are directed to a computer-readable medium containing
instructions for adjusting access to a database. This claimed subject matter lacks a 
practical application of a judicial exception (law of nature, abstract idea, naturally 
occurring article/phenomenon) since it fails to produce a useful, concrete and tangible 
result. Specifically, the claimed subject matter does not produce a tangible result 
because the claimed subject matter fails to produce a result that is limited to having real 
world value rather than a result that may be interpreted to be abstract in nature as, for
example, a thought, a computation, or manipulated data. More specifically, the claimed
subject matter provides for a final step of adjusting authorized database accesses by
changing settings. This produced result is not made tangible to a user, thus remains in
the abstract and fails to achieve the required status of having real world value. 

Claim Rejections - 35 USC § 103 

2. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

3. Claims 1-3, 5, 8, 9, 11-14, 17, 18 and 20-22 are rejected under 35 U.S.C. 103(a) 
as being unpatentable over Mattsson (US Patent Application Publication 2003/0101355 
A1) in view of Ludwig et al. (US Patent Application Publication 2003/0167229 A1). 

With respect to claim 1, Mattson teaches an apparatus for empirically adjusting
access to a database, said apparatus comprising: 

coupled to the database, a database discovery module configured to determine 
database structure and authorized accesses to the database (paragraphs 32 and 34-36);

coupled to the database, a command monitoring module configured to monitor 
actual accesses to the database (paragraphs 33 and 50); and 

coupled to the database discovery module and to the command monitoring 
module, an analysis module configured to compare actual accesses with authorized 
accesses and configured to adjust authorized accesses taking into account results of 
the comparing by changing settings within a database access control module 
(paragraphs 37-39, 42-46 and 52). 

Mattson does not teach denying future database access to operations by certain 
users on database tables and columns that were previously authorized but not observed 
by the command monitoring module. 

Ludwig teaches a modular business transactions platform (see abstract), in 
which he teaches denying future database access to operations by certain users on 
database tables and columns that were previously authorized but not observed by the 
command monitoring module (paragraph 51). 

It would have been obvious to a person having ordinary skill in the art at the time
the invention was made to have modified Mattson by the teaching of Ludwig because
denying future database access to operations by certain users on database tables and
columns that were previously authorized but not observed by the command monitoring
module would enable Mattson's intrusion detection system to be used in processing 
financial transactions and would provide more security measures to prevent intrusion, 
thus providing more functionality (Ludwig, paragraph 51). 

With respect to claim 2, Mattson as modified teaches the apparatus of claim 1 
further comprising, coupled to the database discovery module and to the analysis 
module, a storage area configured to accumulate data generated by the command 
monitoring module (Mattson, paragraph 33). 

With respect to claim 3, Mattson as modified teaches the apparatus of claim 1 
wherein the command monitoring module is a sniffer (Mattson, paragraph 5). 

With respect to claims 5 and 14, Mattson as modified teaches:

discovering authorized accesses to the database (Mattson, paragraphs 32 and
34-36);

observing actual accesses to the database (Mattson, paragraphs 33 and 50); 
comparing actual accesses with authorized accesses (Mattson, paragraphs 37 
and 42); and 

adjusting authorized database accesses taking into account results of the 
comparing step by changing settings within a database access control module to deny 
future database access to operations by certain users on database tables and columns 
that were previously authorized but were not observed during the observing step
(Mattson, paragraphs 37-39, 42-46 and 52; Ludwig, paragraph 51). 

With respect to claims 8 and 17, Mattson as modified teaches wherein the 
discovering step uncovers any: 

tables of the database (Mattson, paragraph 32); 

columns of the database (Mattson, paragraph 32); 

authorized users of the database (Mattson, paragraph 34); 

views of the database (Mattson, paragraph 32); 

stored procedures of the database (Mattson, paragraph 53);

user-defined functions of the database (Mattson, paragraph 53); and 

triggers of the database (Mattson, paragraph 53). 

With respect to claims 9 and 18, Mattson as modified teaches wherein the 
adjusting step comprises at least one of: 

suggesting revised database access control settings to a database administrator;

automatically hardening the database for all times of day (Mattson, paragraph 48);

automatically hardening the database selectively based on time of day;

alerting a database administrator (Mattson, paragraphs 43, 44 and 46); and

continuing to monitor accesses to the database after conclusion of the observing step.

With respect to claims 11 and 20, Mattson as modified teaches wherein the
database is automatically hardened using database specific application programming
interfaces (Mattson, paragraphs 46 and 48).

With respect to claims 12 and 21, Mattson as modified teaches wherein the 
observing step has a preselected duration (Mattson, paragraph 50). 

With respect to claims 13 and 22, Mattson as modified teaches wherein the 
observing step is performed until a preselected quantity of actual accesses have been 
observed (Mattson, paragraphs 33 and 50). 

A preselected quantity can be any number of accesses, including just one 
access. 

4. Claims 4, 10 and 19 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Mattsson (US Patent Application Publication 2003/0101355 A1) in view of Ludwig
et al. (US Patent Application Publication 2003/0167229 A1), as applied to claims 1-3, 5,
8, 9, 11-14, 17, 18 and 20-22 above, and further in view of Low et al. ("DIDAFIT:
Detecting Intrusions in Databases through Fingerprinting Transactions") ('Low').

With respect to claim 4, Mattson as modified teaches claim 1.

Mattson as modified does not teach wherein the database is a relational
database accessed by a structured query language.

Low teaches a method for using fingerprints to detect illegitimate accesses to 
databases (see abstract) in which he teaches wherein the database is a relational 
database accessed by a structured query language (abstract). 

It would have been obvious to a person having ordinary skill in the art at the time 
the invention was made to have further modified Mattson by the teaching of Low 
because wherein the database is a relational database accessed by a structured query 
language would enable a fingerprinting process to be used to detect anomalous 
database accesses involving SQL statements (Low, column 1, page 122). 

With respect to claims 10 and 19, Mattson as modified teaches wherein the 
database is automatically hardened using standard SQL commands (Low, abstract, 
page 126, column 1; Mattson, paragraphs 46 and 48). 

5. Claims 6, 7, 15 [illegible] are rejected under 35 U.S.C. 103(a) as being
unpatentable over Mattsson (US Patent Application Publication 2003/0101355 A1) in
view of Ludwig et al. (US Patent Application Publication 2003/0167229 A1), as applied
to claims 1-3, 5, 8, 9, 11-14, 17, 18 and 20-22 above, and further in view of Vaitzblit et al.
(US Patent Application Publication 2005/0097149 A1) ('Vaitzblit').

With respect to claims 6 and 15, Mattson as modified teaches claims 5 and 14. 

Mattson as modified does not teach further comprising the step of generating at
least one third party report based upon observing actual accesses to the database. 

Vaitzblit teaches a data audit system (see abstract), in which he teaches further 
comprising the step of generating at least one third party report based upon observing 
actual accesses to the database (paragraphs 11 and 48-51). 

It would have been obvious to a person having ordinary skill in the art at the time 
the invention was made to have further modified Mattson by the teaching of Vaitzblit 
because further comprising the step of generating at least one third party report
based upon observing actual accesses to the database would enable an efficient data 
audit system that would help organizations address data privacy and security issues 
(Vaitzblit, paragraph 7), and to additionally detect anomalies (Vaitzblit, paragraph 19). 

Response to Arguments 

6. Applicant's arguments with respect to claims 1-4 have been considered but are 
moot in view of the new ground(s) of rejection. 

7. Applicant argues that claims 5, 6, 8-15 and 17-22 recite patentable subject 
matter. Examiner disagrees. The manipulation of data does NOT represent patentable
subject matter under 35 U.S.C. 101. The recited subject matter fails to produce a result
that is tangible to a user. 

Conclusion

8. Applicant's amendment necessitated the new ground(s) of rejection presented in
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Alicia M. Lewis whose telephone number is 571-272- 
5599. The examiner can normally be reached on Monday - Friday, 9 - 6:30, alternate 
Friday off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Charles Rones can be reached on 571-272-4085. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR only.
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should
you have questions on access to the Private PAIR system, contact the Electronic
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Alicia Lewis 
Augusts, 2007 




